API
AI APIs are the boundary between the application and the model. Self-hosted inference servers (vLLM, Triton, Ollama, TGI) and third-party gateways (LiteLLM, OpenRouter) expose OpenAI-compatible endpoints, and the same web-app vulnerability classes appear here: missing or weak authentication on /v1/chat/completions, broken authorization between tenants, lack of rate limiting that lets an attacker drain quota or burn GPU time, and overly permissive CORS that leaks API keys from browser-side calls. The blast radius is unusual: a single auth-bypass on an inference endpoint exposes both data and compute, and in the case of paid hosted models, directly costs money. We have seen production CVEs across most popular self-hosted servers in the last 18 months. Defenses: require auth on every endpoint, per-tenant rate limits, separate key scopes for read vs admin, and pin server versions aggressively.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2025-0616 | Netsis Panel: unauthenticated SQLi enables data exfiltration | B2B - Netsis Panel | 8.2 |
| MEDIUM | CVE-2026-50634 | Apache CXF: JWS signature bypass exposes JAX-RS APIs | 6.5 | |
| UNKNOWN | CVE-2026-49347 | QuestBot: resource exhaustion via unlimited ticket creation | - | |
| UNKNOWN | CVE-2026-8828 | ChromaDB: tenant isolation bypass exposes all tenant data | chromadb | - |
| MEDIUM | CVE-2026-53830 | OpenClaw: stale webhook secrets bypass revocation | OpenClaw | 6.5 |
| MEDIUM | GHSA-534h-c3cw-v3h9 | Nuxt: local unauth IPC leaks .env secrets on shared hosts | nuxt | 5.5 |
| HIGH | CVE-2026-53721 | Nuxt: auth bypass via URL case-sensitivity mismatch | nuxt | - |
| MEDIUM | GHSA-c9cv-mq2m-ppp3 | Nuxt: open redirect + XSS in navigation API (SSR+client) | nuxt | - |
| CRITICAL | CVE-2026-48746 | vllm: auth bypass exposes OpenAI inference API | vllm | 9.1 |
| HIGH | CVE-2026-53840 | OpenClaw: credential exfiltration via MCP header forwarding | openclaw | 7.1 |
| MEDIUM | CVE-2026-53852 | OpenClaw: scope bypass allows unauthorized device access | openclaw | 5.4 |
| CRITICAL | CVE-2026-49468 | LiteLLM: auth bypass via Host header spoofing | litellm | 8.1 |
| LOW | GHSA-m3q2-p4fw-w38m | Nuxt: NoScript XSS enables script execution in head | nuxt | - |
| MEDIUM | CVE-2026-54015 | Open WebUI: IDOR exposes private prompt history | open-webui | 6.4 |
| HIGH | CVE-2026-54013 | Open WebUI: stored SVG XSS enables full account takeover | open-webui | 7.6 |
| HIGH | CVE-2026-54010 | Open WebUI: IDOR allows cross-user file read and delete | open-webui | 8.3 |
| MEDIUM | CVE-2026-54009 | open-webui: cross-user file read via auth bypass | open-webui | 6.5 |
| HIGH | CVE-2026-54008 | open-webui: SSRF via OAuth picture redirect bypass | open-webui | 8.5 |
| HIGH | CVE-2026-54007 | open-webui: cross-origin postMessage forces model execution | open-webui | - |
| MEDIUM | CVE-2026-54233 | vLLM: decompression bomb OOM via audio endpoint | vllm | 6.5 |